Booting a GELI encrypted hard disk

Steve Bertrand iaccounts at
Thu Oct 11 09:31:26 PDT 2007

>>> As you can see only /home is encrypted because the rest doesn't hold
>>> data worth encrypting.
>> Well, on mine it will.
> I was talking about my system. Yours will of course be different. :-)

I know. I was not trying to be sarcastic in any way. Sorry if it seemed
that way :)

> You can even encrypt /tmp with a one-time key (see 'geli onetime').

I will likely do this with /tmp and swap.

> Also have a look at the geli_* variables in /etc/defaults/rc.conf.

Will do.

> It only needs to be present during creation of the GELI devices (geli
> attach). The rc scripts know they have to load GELI and attach the
> devices if they see an .eli device in /etc/fstab. Geli will ask for the
> passphrase(s) during boot-up if you're using them. You can specify which
> key-file to use in the geli_[devicename]_flags variable in /etc/rc.conf.
> However using a USB device presents its own problems. If you plug in a
> USB stick there's no telling which device node it ends up with,
> depending on how many other USB devices are on the bus. To make device
> recognition easier, you should use a GEOM label on the USB stick, so
> you'll know which /dev/label/* device node it gets. And you'd probably
> have to hack an rc script to mount the USB stick _before_ the system
> tries to attach the GELI device(s).

Getting around these issues is trivial. The only requirement is that my
thumbdrive comes with me after the machine is reloaded.

> And remember that this USB stick is another thing you have to back-up
> and store in a safe place. It would be bad if you lost your data because
> your USB stick died or got lost.

Understood. This has been considered, and it's exactly what I do with my
TrueCrypt encrypted information on my Windows workstation.
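The quoted advice above describes how the rc scripts pick up .eli entries from /etc/fstab and take per-device options from geli_[devicename]_flags in /etc/rc.conf. The script below is an added example, not code from the thread or from FreeBSD: it reads an fstab and an rc.conf the same way, lists the providers that will be attached at boot, resolves the flags that apply to each (the per-device variable, else geli_default_flags) and checks whether the key file named by -k is reachable, which is the usual thing that goes wrong when the key lives on a USB stick that is not mounted yet. The sample fstab and rc.conf, the /mnt/usbkey paths and the key-file names are constructed for the demonstration; geli_default_flags, geli_<dev>_flags and geli_swap_flags are the real rc.conf variables, and the '/' to '_' mapping for providers such as label/data follows what FreeBSD's rc.d/geli does.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect the GELI boot
# configuration before rebooting. Sample files are constructed below.

SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/fstab" <<'EOF'
# Device              Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1a           /           ufs     rw       1     1
/dev/ad0s1b.eli       none        swap    sw       0     0
/dev/ad0s1d.eli       /home       ufs     rw       2     2
/dev/label/data.eli   /data       ufs     rw       2     2
EOF

cat > "$SAMPLE_DIR/rc.conf" <<'EOF'
geli_default_flags=""
# key file lives on the GEOM-labelled USB stick, mounted before geli attach
geli_ad0s1d_flags="-k /mnt/usbkey/home.key"
# rc.d/geli maps '/' in a provider name to '_' when it looks up the variable
geli_label_data_flags="-k /mnt/usbkey/data.key"
# swap .eli entries are attached by rc.d/encswap with a one-time key
geli_swap_flags="-e aes -l 256 -s 4096 -d"
EOF

# Providers (without /dev/ and .eli) that rc.d/geli attaches at boot.
# Swap entries are excluded: rc.d/encswap attaches those with "geli onetime".
eli_devices() {
    awk '$1 ~ /\.eli$/ && $3 != "swap" {
            sub("^/dev/", "", $1); sub("\\.eli$", "", $1); print $1 }' "$1"
}

# Swap providers that rc.d/encswap will attach with a one-time key.
eli_swap_devices() {
    awk '$1 ~ /\.eli$/ && $3 == "swap" {
            sub("^/dev/", "", $1); sub("\\.eli$", "", $1); print $1 }' "$1"
}

# Flags that would be passed to "geli attach" for one provider: the
# per-device variable if set, otherwise geli_default_flags.
# rc.conf is sourced in a subshell so its assignments do not leak out.
geli_flags_for() {
    provider=$1
    rcconf=$2
    var=$(printf '%s' "$provider" | tr '/' '_')
    (
        . "$rcconf"
        eval "flags=\${geli_${var}_flags}"
        [ -n "$flags" ] || flags=$geli_default_flags
        printf '%s\n' "$flags"
    )
}

# Pull the key-file path out of a flags string ("-k /path"); prints nothing
# when the provider is passphrase-only.
geli_keyfile_from_flags() {
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "-k" ] && [ $# -gt 1 ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 0
}

# Report every provider with its resolved flags and key file, and point out
# key files that are not reachable (on a live system: USB stick not mounted).
report_geli_config() {
    fstab=$1
    rcconf=$2
    for p in $(eli_devices "$fstab"); do
        flags=$(geli_flags_for "$p" "$rcconf")
        key=$(geli_keyfile_from_flags "$flags")
        if [ -z "$key" ]; then
            echo "$p.eli: passphrase only (flags: '$flags')"
        elif [ -f "$key" ]; then
            echo "$p.eli: key file $key present"
        else
            echo "$p.eli: key file $key NOT reachable; mount the USB stick before geli attach"
        fi
    done
    for s in $(eli_swap_devices "$fstab"); do
        echo "$s.eli: swap, attached by rc.d/encswap with a one-time key"
    done
}

report_geli_config "$SAMPLE_DIR/fstab" "$SAMPLE_DIR/rc.conf"
```

Run it against /etc/fstab and /etc/rc.conf instead of the sample files once the real key-file USB stick is mounted; any provider reported as passphrase-only while you expected a key file means the geli_<dev>_flags variable name does not match the device name in fstab.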
